An Overview of Regulations Around the World and Why They Matter

The healthcare industry is one of the top targets for cybercriminals, but it’s not alone. Insurance companies, financial firms, universities and schools, social media and online commerce companies are all at risk and, therefore, have regulations they must adhere to. Basically, if a company or organization handles any personally identifiable information, or PII, you can bet there’s a compliance or regulation standard that must be followed. Here are just a few from around the world that are designed to keep data secure.

HIPAA (United States)

Signed into law back in 1996, the Health Insurance Portability and Accountability Act is designed to make sure that medical information is kept confidential and private and only used for its intended purpose. This means that medical information, defined by HIPAA as protected health information, or PHI, can only be collected, shared, stored, and used for legitimate reasons and must be properly protected.

FERPA (United States)

Sometimes referred to simply as the Privacy Act, or the Buckley Amendment, FERPA is the Family Educational Rights and Privacy Act. It protects both the privacy and security of certain kinds of educational records. It gives students, former students, auditing students, and others privacy rights with respect to personally identifiable educational records.

GDPR (Europe)

The official implementation of the General Data Protection Regulation is right around the corner (May 25, 2018) and will replace the current EU Data Protection Directive. Its goal is to extend the regulations of data privacy for European residents to foreign countries, as well as normalize data protections across the European Union. It applies to any organization that processes or controls data of EU residents, regardless of where the organization is located worldwide.

Cybersecurity Law (China)

Adopted by the National People’s Congress in November 2016, and officially activated in June 2017, China’s Cybersecurity Law presents a significant upgrade of data privacy in the world’s second largest economy.

China already had various laws and regulations in place. The Cybersecurity Law further defines how personal data may be collected, stored, and transferred, and expands the rights of individuals who have their data accessed. It also establishes more robust processes for protecting critical information infrastructure such as energy, finance, transportation, and water conservation. Read more here: https://assets.kpmg.com/content/dam/kpmg/cn/pdf/en/2017/02/overview-of-cybersecurity-law.pdf

APPI (Japan)

Japan’s Act on the Protection of Personal Information, or APPI, is one of the longest standing laws in Asia, dating back to 2003. In 2016, Japan appointed the Personal Information Protection Commission to supervise and enforce amendments to APPI, the goal of which was to modernize Japan’s data protection efforts.

Don’t Forget About NIST

Initially developed for critical infrastructure, the National Institute of Standards and Technology established a framework for improving cybersecurity, now referred to simply as NIST CSF.

At the core of NIST CSF are five functions, and 22 categories within the five functions, which provide a roadmap for organizations to follow and strengthen their defense against cyber-threats. Think of it as a common language that can be understood from the top to the bottom of your organization, regardless of size or industry. Instead of being about compliance, it’s a customizable strategy that can be applied to existing security programs or used to build one from the ground up.

Although it’s not an official regulation or required compliance (in fact, it’s completely voluntary) the NIST Cybersecurity Framework offers tremendous upside for organizations of all shapes and sizes. Read more about it here: https://www.nist.gov/cyberframework

Why Compliance Matters to Your Organization

Organizations of all sizes and every industry are targets, and therefore, have a twofold responsibility: knowing which compliance regulations they must adhere to, and ensuring that end-users are aware of those regulations. But simply checking the compliance box is not enough. Organizations must train their employees on why security matters, and how it affects them from both a personal and professional standpoint. By making security awareness training personal, your employees are much more likely to understand the importance of data protection, and much less likely to cause a data breach.

For more information on how to plan, launch, and manage a successful training program, check out our resource library, where you’ll find a ton of useful materials. And feel free to contact us with any questions regarding compliance or any other matters related to developing a culture of strong human firewalls!

Justin left the music business to focus on his true passion: writing. A talented writer and detailed researcher, he’s involved in every department here at SAC to make sure all content is fresh and up-to-date. In his spare time, Justin writes about fantasy football for FootballGuys.com and practices mixology (he makes a mean margarita).